IRC Botnets Alive, Effective & Evolving

By: Nirmal Singh

April 23, 2015

Introduction

An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands.

In this blog, we will look at one of the most prevalent IRC based malware families - DorkBot, followed by three additional IRC Botnet families - RageBot, Phorpiex, and IRCBot.HI.

DorkBot Installer
In our telemetry data from the last 3 months, we have seen the following URL serving the DorkBot installer:

"–shell" - Starts the infection cycle, creates a registry key named "Windows Update" to ensure persistence, and creates a mutex named "Windows_Shared_Mutex_231_c000900" to ensure only one copy of Dorkbot is running.

If no command line argument is provided, it starts injecting threads into other processes without performing the actions mentioned above.

It first injects a thread into svchost.exe and performs the following actions:

1. Copies itself as "%APPDATA%\Update\Explorer.exe" on the infected system.

2. Creates a Run registry key with the name "Windows Explorer Manager" for the dropped executable copy.

3. Creates a thread that monitors the Run key created in step 2 and recreates it if missing, every 10,000 seconds.

4. Creates a thread that copies the file created in step 1 to the file name "\c731200" in the "%APPDATA%" folder.
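The Run-key persistence in steps 1 to 4 leaves a recognizable footprint: a value name borrowed from a Windows component whose data points at an executable under %APPDATA%. The following Python function, an added example that is not part of the original post, triages a `reg query` style dump of the Run key for that pattern instead of touching a live registry, so it runs anywhere. The dump is constructed; the two DorkBot value names come from the post, while every file path in the sample is an assumption.

```python
"""Triage HKCU Run-key values for the DorkBot persistence pattern.

Added example, not code from the post: parses a text dump in the shape
`reg query` prints (constructed sample below) rather than the live registry.
"""
import re

# Value names the post attributes to the DorkBot installer.
KNOWN_DORKBOT_VALUES = {"Windows Update", "Windows Explorer Manager"}

# Directories a genuine Windows component is not launched from (lower-case).
USER_WRITABLE_PREFIXES = (
    "%appdata%", "c:\\users\\", "c:\\documents and settings\\", "%temp%",
)

# One `reg query` value line: <indent><ValueName>  <REG_TYPE>  <Data>
RUN_LINE = re.compile(r"^\s*(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")


def parse_run_dump(dump: str):
    """Yield (value_name, data) for every value line in the dump; key-path
    and blank lines carry no REG_ type token and are skipped."""
    for line in dump.splitlines():
        m = RUN_LINE.match(line)
        if m:
            yield m.group("name"), m.group("data")


def image_path(data: str) -> str:
    """Strip surrounding quotes and trailing arguments to get the executable path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def suspicious_run_entries(dump: str):
    """Return [(value_name, path, reason)] for entries that either carry a
    value name published for DorkBot or combine a Windows-branded name with
    a user-writable launch directory."""
    findings = []
    for name, data in parse_run_dump(dump):
        path = image_path(data)
        lowered = path.lower()
        if name in KNOWN_DORKBOT_VALUES:
            findings.append((name, path, "value name published for DorkBot"))
        elif name.lower().startswith("windows") and lowered.startswith(USER_WRITABLE_PREFIXES):
            findings.append((name, path, "Windows-branded name launched from user-writable directory"))
    return findings


# Constructed sample: one benign entry, the two value names from the post
# (paths assumed), and one generic look-alike to exercise the second rule.
SAMPLE_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Windows Update    REG_SZ    C:\Users\victim\AppData\Roaming\c731200.exe
    Windows Explorer Manager    REG_SZ    "C:\Users\victim\AppData\Roaming\Update\Explorer.exe"
    Windows Audio Service    REG_SZ    C:\Users\victim\AppData\Local\Temp\wa.exe
"""

if __name__ == "__main__":
    for name, path, reason in suspicious_run_entries(SAMPLE_DUMP):
        print(f"{name!r} -> {path} ({reason})")
```

The second rule is deliberately narrow (a "Windows" prefix plus a user-writable directory); widening it to any Microsoft-sounding name is the usual next step, at the cost of more manual review of the hits.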

It then creates a remote thread in mspaint.exe that tries to resolve a predetermined list of domains as shown in image below:

DorkBot - Hardcoded Domains

The main Dorkbot binary (MD5: E7E48AD1A2A57CC94B56965AA8B476DA) was found embedded in the resource section of the installer; it is extracted and executed at runtime.

DorkBot - memory strings

It also creates a remote thread in the "calc.exe" process that performs the following actions:

1. Creates a mutex with the name "c731200".

2. Checks for Internet connectivity using the InternetCheckConnection API with www.google.com as the URL.

3. Tries to download files from 20 different URLs and saves each downloaded file under a random file name in the %Temp% folder. The file names are shown in the screenshot below:

DorkBot- Random file names

All the URLs are hardcoded in DorkBot and encrypted with a custom encryption method.

DorkBot - Encrypted URLs

DorkBot - Pseudocode of decryption function

Below is the full list of URLs from which it tries to download additional malware:

URL

http://api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif

http://api2[.]wipmania[.]com[.]wipmsc[.]ru/api2.gif

http://api3[.]wipmania[.]com[.]wipmsc[.]ru/api3.gif

http://api4[.]wipmania[.]com[.]wipmsc[.]ru/api4.gif

http://api5[.]wipmania[.]com[.]wipmsc[.]ru/api5.gif

http://api6[.]wipmania[.]com[.]wipmsc[.]ru/api6.gif

http://api7[.]wipmania[.]com[.]wipmsc[.]ru/api7.gif

http://api8[.]wipmania[.]com[.]wipmsc[.]ru/api8.gif

http://api9[.]wipmania[.]com[.]wipmsc[.]ru/api9.gif

http://api[.]wipmania[.]com[.]fowd[.]ru/api.gif

http://api[.]wipmania[.]com[.]selfmg[.]ru/api.gif

http://api[.]wipmania[.]com[.]lotus5[.]ru/api.gif

http://api[.]wipmania[.]com[.]wipmania[.]ru/lkwaxd.gif

http://api[.]wipmania[.]com[.]lotys[.]ru/vjojai.gif

http://api[.]wipmania[.]com[.]bwats[.]ru/ofjtme.gif

http://api[.]wipmania[.]com[.]stcus[.]ru/apsphv.gif

http://api[.]wipmania[.]com[.]cmoen[.]ru/zkmchm.gif

http://api[.]wipmania[.]com[.]artbcon3[.]ru/frflec.gif

http://api[.]wipmania[.]com[.]yeloto[.]ru/zwfmwd.gif

http://update[.]wipmania[.]com[.]raulhost[.]ru/logo.gif
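Every host in the list above keeps wipmania.com as a prefix while the registered domain is a different .ru zone, so a reader skimming a proxy log sees a familiar name. The following Python snippet, added here and not part of the original post, refangs the indicators, extracts the registered domain and flags hostnames that embed a watched brand domain below the registrable level. The brand watch list and the control URL are constructed assumptions, and approximating the registered domain by the last two labels is a simplification (a production tool would consult the Public Suffix List).

```python
"""Flag URLs whose hostname embeds a well-known domain as a decoy prefix
while the real registered domain is something else.

Added example, not from the post. The watch list and the control URL are
constructed; the other URLs are the defanged indicators listed above.
"""
from urllib.parse import urlsplit

# Brand domains expected only as the registered domain, never as an
# intermediate label sequence (constructed watch list for the example).
DECOY_BRANDS = ("wipmania.com", "google.com", "microsoft.com")


def refang(url: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Adequate for .com/.ru; multi-label suffixes such as co.uk need the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_decoy_host(url: str):
    """Return (registered_domain, embedded_brand) when the hostname contains a
    watched brand somewhere above the registered domain, otherwise None."""
    host = urlsplit(refang(url)).hostname or ""
    reg = registered_domain(host)
    labels = host.lower().split(".")
    for brand in DECOY_BRANDS:
        if brand == reg:            # the brand is the real registrant: benign
            continue
        brand_labels = brand.split(".")
        n = len(brand_labels)
        # Slide a window over every label position except the registered suffix.
        for i in range(0, len(labels) - n):
            if labels[i:i + n] == brand_labels:
                return reg, brand
    return None


def triage(urls):
    """Map each flagged URL to (registered_domain, decoy_brand)."""
    hits = {}
    for u in urls:
        found = find_decoy_host(u)
        if found:
            hits[u] = found
    return hits


# Three indicators from the post, plus one constructed control case where
# wipmania.com is itself the registered domain and must not fire.
DORKBOT_URLS = [
    "http://api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif",
    "http://api[.]wipmania[.]com[.]fowd[.]ru/api.gif",
    "http://update[.]wipmania[.]com[.]raulhost[.]ru/logo.gif",
    "http://api.wipmania.com/",
]

if __name__ == "__main__":
    for url, (reg, brand) in triage(DORKBOT_URLS).items():
        print(f"{url}: looks like {brand}, actually served by {reg}")
```

Run over the full list above, the check reduces twenty distinct URLs to a handful of registered .ru domains, which is the level at which a blocklist or a DNS log query is worth writing.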

DorkBot

Dorkbot represents a family of information stealing worms that uses IRC based Command & Control (C&C) server communication. Dorkbot is also known as ngrBot due to its similar feature set. It is one of the most powerful IRC based botnets and generates revenue for the botnet operator via the following features:

As seen in the screenshot above, RageBot checks for common usernames found in certain public sandboxing environments before executing further.

Phorpiex - Check via DLL name

The Phorpiex bot looks for strings like 'qemu', 'virtual', and 'vmware' in the system registry to check whether it is executing in a virtual environment. In addition, it checks for the presence of the Sandboxie sandbox by looking for specific DLLs, as seen in the screenshot above.

IRCBot.HI - Check via DLL & Product IDs

It is important to note that IRCBot.HI checks the ProductID value from the registry against multiple hardcoded ProductID values and terminates execution if any of them matches. We believe these hardcoded ProductIDs were harvested from various public online sandboxes.

2. Creates Mutex

RageBot – It creates a mutex with the name "ie".

RageBot - Mutex

Phorpiex – It creates a mutex with the name "t2". We have also seen some Phorpiex samples that create mutexes named "t3" and "t4".

Phorpiex - Mutex

IRCBot.HI – During installation it creates a mutex with the name MAIN_<RandomNumber>. When it runs from the installation path, it creates a mutex with the name BACKUP_<RandomNumber>.

IRCBot.HI - Mutex

3. Installation

RageBot – It installs itself in the "%ProgramFiles%\Common Files\System" or "C:\DOCUME~1\" directory. The malware uses ragebot.exe as the file name for the dropped copy.

RageBot – Building installation path

If it is unable to create the file at the locations mentioned above, it tries to install itself in the "C:\RECYCLER" directory.

It then deletes itself after installation by running a batch file dropped in the %TEMP% folder.

IRCBot.HI – During our analysis it installed itself into %WINDIR% and %USERPROFILE%. In %WINDIR%, it creates a folder named 1756410959 and drops a copy of itself as lsass.exe. In %USERPROFILE%, it drops a copy of itself as ctfmon.exe.

It copies itself to the following P2P and instant messenger application folders for spreading:

\Program Files\LimeWire\Shared

\Program Files\eDonkey2000\incoming

\Program Files\KAZAA

\Program Files\Morpheus\My Shared Folder\

\Program Files\BearShare\Shared\

\Program Files\ICQ\Shared Files\

\Program Files\Grokster\My Grokster\

\My Downloads\

It also searches for RAR files and copies itself inside them.

Phorpiex –

A. Creates a shortcut on removable devices

1. Checks for all removable devices.

2. Copies itself with a different name.

3. Creates a shortcut to an already present folder and sets the shortcut's target to run the malicious file.

4. Hides the malicious file and folder by setting the hidden attribute on both.

Phorpiex - Creating Shortcuts

B. Creates an autorun.inf file on removable devices to autorun the malicious file

1. Checks for all removable devices.

2. Copies itself with the name windrv.exe.

3. Creates an autorun.inf file to autorun the malicious file.

Phorpiex - Creating autorun.inf file

IRCBot.HI -

We identified strings related to Skype in memory during our analysis that would suggest this bot is capable of spreading via Skype.

IRCBot.HI - Skype inject related string

7. IRC based Command & Control communication

All these bots use the IRC protocol for C&C communication. Bots perform different actions based on the commands received from the remote C&C server.

RageBot – During our analysis, this RageBot sample was trying to connect to vnc.e-qacs[.]com on port 6668. Upon successful connection, the following initial communication was observed:

RageBot - C&C Communication

You can find the full list of C&C commands in the appendix section.

Phorpiex – It tries to connect to trksrv[.]su on port 5050. Other IRC servers it tries to connect to are trik[.]su, srv50[.]ru and trkbox[.]ru. Upon successful connection, it sends the following IRC commands:

NICK `|USA|hihdlxu

USER x "" "x" :x

Some other commands:

001 -> Sends a JOIN #b message to the server

PING -> Checks status

.j <channel name> -> Joins the given channel

bye -> Uninstalls the bot

Phorpiex - C&C Communication

IRCBot.HI - It tries to connect to irc[.]ernsthaft[.]su or irc[.]ded-rrwqwzjzjris[.]com on port 6667.

Upon successful connection, it sends the following IRC commands:

PASS ddos

USER <8 char string> <1 digit number> * :<8 char string>

NICK n[USA|A|D|<OS_NAME><OS_TYPE>|1c]<8 char string>

JOIN #PlanB

Below is a sample of the C&C communication for this bot:

IRCBot.HI - C&C Communication
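The registration sequences above (the Phorpiex NICK/USER pair, and IRCBot.HI's PASS ddos, NICK template and JOIN #PlanB) are static enough to fingerprint on the wire. The following Python code, an added example rather than anything from the post or from the bots themselves, parses IRC lines with the RFC 1459 grammar (optional prefix, command, parameters, trailing parameter) and scores each session against rules derived from those handshakes. The three session transcripts are constructed to the shapes the post describes, the regular expressions for the random parts of the nicks are assumptions, and a family is reported only when two or more of its rules fire, so a lone PASS or a lone JOIN does not trigger.

```python
"""Fingerprint the IRC registration handshakes of Phorpiex and IRCBot.HI
in a client->server line stream.

Added example, not from the post. Session transcripts are constructed;
the nick patterns are assumptions about the random parts.
"""
import re


def parse_irc_line(line: str):
    """Split one IRC message into (prefix, COMMAND, params), where a
    trailing parameter introduced by ' :' becomes the last element."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    command = params.pop(0).upper() if params else ""
    if sep:
        params.append(trailing)
    return prefix, command, params


# Nick shapes from the post: `|USA|hihdlxu and n[USA|A|D|<OS_NAME><OS_TYPE>|1c]<8 chars>.
# The lengths of the random tails are assumed.
PHORPIEX_NICK = re.compile(r"^`\|[A-Z]{2,3}\|[a-z]{5,10}$")
IRCBOT_HI_NICK = re.compile(r"^n\[[A-Z]{2,3}\|[^\]|]+\|[^\]|]+\|[^\]|]+\|1c\][A-Za-z0-9]{8}$")

# (family, command, predicate over params); literal values come from the post.
RULES = [
    ("Phorpiex", "NICK", lambda p: bool(p) and bool(PHORPIEX_NICK.match(p[0]))),
    ("Phorpiex", "USER", lambda p: p == ["x", '""', '"x"', "x"]),
    ("IRCBot.HI", "PASS", lambda p: p == ["ddos"]),
    ("IRCBot.HI", "NICK", lambda p: bool(p) and bool(IRCBOT_HI_NICK.match(p[0]))),
    ("IRCBot.HI", "JOIN", lambda p: bool(p) and p[0] == "#PlanB"),
]


def score_session(lines, threshold=2):
    """Count rule hits per family over one session's lines and return the
    families reaching the threshold; server replies carry a prefix and
    match no client-side rule, so mixed captures are fine."""
    hits = {}
    for line in lines:
        _, command, params = parse_irc_line(line)
        for family, cmd, check in RULES:
            if command == cmd and check(params):
                hits[family] = hits.get(family, 0) + 1
    return {family: n for family, n in hits.items() if n >= threshold}


# Constructed transcripts; the server name is a placeholder, not an IoC.
PHORPIEX_SESSION = [
    "NICK `|USA|hihdlxu",
    'USER x "" "x" :x',
    ":irc.example.test 001 `|USA|hihdlxu :Welcome",
    "JOIN #b",
]
IRCBOT_HI_SESSION = [
    "PASS ddos",
    "USER abcdefgh 8 * :abcdefgh",
    "NICK n[USA|A|D|XP32|1c]qwrtyzxc",
    "JOIN #PlanB",
]
BENIGN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice Example",
    "JOIN #python",
]

if __name__ == "__main__":
    for name, session in (("phorpiex", PHORPIEX_SESSION),
                          ("ircbot.hi", IRCBOT_HI_SESSION),
                          ("benign", BENIGN_SESSION)):
        print(name, score_session(session) or "no match")
```

Because the rules key on the registration exchange rather than on the server address, they keep working when the operator moves the bots to a new IRC server or channel, which is exactly the evasion the introduction describes; only a change to the bot's own handshake format requires a rule update.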

Conclusion
In this era of sophisticated Botnets with multiple C&C communication channels, custom protocols, and encrypted communication, we continue to see a steady number of new IRC based Botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based Botnet families continue to evolve in terms of the sophisticated features incorporated in the bots.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.